# joy, 2003-08-15
rawbody PIC_GIF			/^Content-ID: <pic\d*\.gif>/i
describe PIC_GIF		pic*.gif in attachment, common spam/virus
score PIC_GIF			3

header POSSIBLEVIRUS	Subject =~ /\{Virus\?\} /
describe POSSIBLEVIRUS	possible or cleaned virus tag found in Subject
score POSSIBLEVIRUS	2

# cjwatson, 2003/09/22 2003/10/02
header AV_SCAN		Subject =~ /AntiVirus scan results/
describe AV_SCAN	virus fallout
score AV_SCAN		4

# cjwatson, 2003/09/24
body CORREO_TERRA	/Antivirus de Correo de Terra/
describe CORREO_TERRA	virus fallout
score CORREO_TERRA	2

# cjwatson, 2003/09/24
body WEBSHIELD		/Network Associates WebShield SMTP.*detected virus/
describe WEBSHIELD	virus fallout
score WEBSHIELD		3

# cjwatson, 2003/09/25, joy 2003-10-01
header AV_ALERT		Subject =~ /^(Anti)?Virus Alert/
describe AV_ALERT	virus fallout
score AV_ALERT		4.5

# cjwatson, 2003/09/29
body INFECTED_OBJ	/because contains an infected object/
describe INFECTED_OBJ	virus fallout
score INFECTED_OBJ	4

# joy, 2003-10-01
header AV_RESULTS	Subject =~ /AntiVirus scan results/i
describe AV_ALERT       anti-virus spam
score AV_ALERT          4

# cjwatson, 2004-01-27
header IOL_ALERTA	Subject =~ /IOL - ALERTA de Virus/
describe IOL_ALERTA	misdirected antivirus
score IOL_ALERTA	4

# blarson 2004-04-10
rawbody ZIPCOMPRESSED	/application\/x-zip-compressed/i
describe ZIPCOMPRESSED	zip compressed attachment
score ZIPCOMPRESSED	2

# blarson 2005-04-29
header MICROVIRUS	subject =~ /(?:Current|Latest|Newest|New) (?:Microsoft|Internet|Net) (?:Security|Critical)? ?(?:Patch|Pack|Update|Upgrade)/i
describe MICROVIRUS	microsoft email virus
score MICROVIRUS	4

# blarson 2006-11-21
rawbody AVGMAIL		/\b\-\-\=\=\=\=\=\=\=AVGMAIL/
describe AVGMAIL	avg virus claim
score AVGMAIL		3

# don 2007-06-25 blarson 2007-06-28
# This is %PDF-1.1 base64 encoded
full PDFATTACH		/JVBERi0xLjE/
describe PDFATTACH	PDF Attachment
score PDFATTACH		2		

# blarson 2007-06-29
header PDFNAME		subject =~ /\w\.pdf\b/i
describe PDFNAME	pdf spam
score PDFNAME		3.5

# blarson 2007-07-18
rawbody APPPDF		/\bContent-Type\:\s+application\/pdf/i
describe APPPDF		pdf attachment
score APPPDF		2

# blarson 2007-09-01
body NOVIR		/^No virus found in this incoming message\./
describe NOVIR		bogus no virus
score NOVIR		1

# blarson 2008-08-09
header ANTIGEN		subject=~/Antigen Notification/
describe ANTIGEN	Antigen Notification
score ANTIGEN		4

# cord 2010-05-04
body AUTOMATIC_MESSAGE	/This is an automat(ic|ed) message/i
describe AUTOMATIC_MESSAGE body indicates it is an automated message
score AUTOMATIC_MESSAGE 2.0

# formorer 2012-02-15
header XEROX    subject=~/Scan from a Xerox W./i
describe XEROX  Scanner malware
score XEROX     4

